SamSam: The (Almost) Six Million Dollar Ransomware

Sophos, a global leader in network and endpoint security, released an in-depth investigation white paper on the SamSam ransomware attacks that first appeared in December 2015. Titled ‘SamSam: The (Almost) Six Million Dollar Ransomware’, this whitepaper aims to provide a comprehensive understanding of this unique ransomware attack by summarizing key findings about the attacker’s tools, techniques, and protocols.

Unlike most ransomware, SamSam is a thorough encryption tool, rendering not only work data files unusable but any program that is not essential to the operation of a Windows computer, most of which are not routinely backed up. SamSam’s attacking method is unique as it is manual and as a result, attackers can employ countermeasures (if needed) to evade many security tools. If the process of encrypting data is interrupted, the malware is capable of comprehensively erasing all trace of itself immediately, hindering any investigation. Furthermore, recovery from the attack may require reimaging and/or reinstalling software as well as restoring backups. As a result, many victims were not able to recover sufficiently or quickly enough to ensure business continuity and had to pay the ransom.

Key findings from the SamSam ransomware paper:

  • Sophos has revealed that 74 per cent of the known victims are based in the United States. Other regions known to have suffered attacks include Australia (2%), India (1%), the Middle East (1%), Canada (5%), and the UK (8%).
  • Some victims reported a widespread ransomware event that significantly impacted operations of some large organizations, including hospitals, schools and cities.
  • From tracking Bitcoin payments made to known wallet addresses owned by the attacker, Sophos has calculated the SamSam take as exceeding US$5.9 million[1] – unlike previously known figures of USD $85,000 in ransom.

According to Peter Mackenzie, Global Malware Escalations Manager at Sophos, “Most ransomware is spread in large, noisy and untargeted spam campaigns using simple techniques to infect victims and demand relatively small sums in ransom. What sets SamSam apart is that it’s a targeted attack tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, and more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures to evade security tools and if interrupted can delete all trace of itself immediately, to hinder investigation.”

Mackenzie added, “SamSam is a reminder to businesses that they need to actively manage their security strategy. By deploying a defense-in-depth approach, they can ensure their network is less visible and open to attack to avoid being the low hanging fruit the hacker is searching for. We recommend IT managers follow security best practices, including hard-to-crack passwords and rigorous patching.”

Sophos recommends the following four security measures:

  • Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to be able to remotely access any systems. Utilize multi-factor authentication for VPN access.
  • Complete regular vulnerability scans and penetration tests across the network; if you have not followed through on recent pen-testing reports, do it now.
  • Activate multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.
  • Create back-ups that are offline and offsite, and develop a disaster recovery plan that covers the restoration of data and whole systems.

For more information, please refer to the detailed whitepaper here, as well as an article on naked Security here.

SamSam: The (Almost) Six Million Dollar Ransomware 1
SamSam: The (Almost) Six Million Dollar Ransomware 2
SamSam: The (Almost) Six Million Dollar Ransomware 3
SamSam: The (Almost) Six Million Dollar Ransomware 4
SamSam: The (Almost) Six Million Dollar Ransomware 5